Skip to content

ci: reproducible images based on upstream releases #1

ci: reproducible images based on upstream releases

ci: reproducible images based on upstream releases #1

name: Image Release Build
on:
workflow_dispatch:
inputs:
tag:
description: container image tag
required: false
push:
tags:
- v[0-9]+.*
permissions:
# To be able to access the repository with `actions/checkout`
contents: read
# Push to ghcr.io
packages: write
jobs:
build-and-push:
timeout-minutes: 45
name: Build and Push Images
runs-on: ubuntu-22.04
strategy:
matrix:
include:
- name: cilium
dockerfile: ./images/cilium/Dockerfile
- name: operator
dockerfile: ./images/operator/Dockerfile
- name: operator-aws
dockerfile: ./images/operator/Dockerfile
- name: operator-azure
dockerfile: ./images/operator/Dockerfile
- name: operator-alibabacloud
dockerfile: ./images/operator/Dockerfile
- name: operator-generic
dockerfile: ./images/operator/Dockerfile
steps:
- name: Set up Docker Buildx
uses: docker/setup-buildx-action@f95db51fddba0c2d1ec667646a06c2ce06100226 # v3.0.0
- name: Getting image tag
id: tag
run: |
if [ -z "${{ github.event.inputs.tag }}" ]
then
echo tag=${GITHUB_REF##*/} >> $GITHUB_OUTPUT
else
echo tag=${{ github.event.inputs.tag }}>> $GITHUB_OUTPUT
fi
- name: Login to GitHub Container Registry
uses: docker/login-action@v3
with:
registry: ghcr.io
username: ${{ github.repository_owner }}
password: ${{ secrets.GITHUB_TOKEN }}
- name: Checkout Source Code
uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
with:
persist-credentials: false
- name: Determine SOURCE_DATE_EPOCH
id: epoch
run: echo epoch=$(git log -1 --pretty=%ct) >> $GITHUB_OUTPUT
- name: Release Build ${{ matrix.name }}
uses: docker/build-push-action@4a13e500e55cf31b7a5d59a38ab2040ab0f42f56 # v5.1.0
id: docker_build_release
env:
SOURCE_DATE_EPOCH: ${{ steps.epoch.outputs.epoch }}
with:
provenance: false
context: .
file: ${{ matrix.dockerfile }}
push: true
platforms: linux/amd64,linux/arm64
tags: |
ghcr.io/${{ github.repository }}/${{ matrix.name }}:${{ steps.tag.outputs.tag }}
target: release
build-args: |
OPERATOR_VARIANT=${{ matrix.name }}
SOURCE_DATE_EPOCH=${{ steps.epoch.outputs.epoch }}
- name: Image Release Digest
shell: bash
run: |
mkdir -p image-digest/
job_name=${{ matrix.name }}
job_name_capital=${job_name^^}
job_name_underscored=${job_name_capital//-/_}
echo "${job_name_underscored}_DIGEST := \"${{ steps.docker_build_release.outputs.digest }}\"" > image-digest/makefile-digest.txt
printf "%s\n\n" "### ${{ matrix.name }}" >> $GITHUB_STEP_SUMMARY
echo "\`ghcr.io/${{ github.repository }}/${{ matrix.name }}:${{ steps.tag.outputs.tag }}@${{ steps.docker_build_release.outputs.digest }}\`" >> $GITHUB_STEP_SUMMARY
# Upload artifact digests
- name: Upload artifact digests
uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 # v3.1.3
with:
name: image-digest ${{ matrix.name }}
path: image-digest
retention-days: 10